EA/Origin account hacked: Is this a new thing?

Member

Story goes, received an email very early Friday morning last week (around 4:00am Australia time) about my email address being changed for my Origin account. Didn't think anything of it (I first saw the email when I woke up for work early on Friday and quickly forgot about it).

Tried getting in today, Origin doesn't recognise my username. Or my email address. Had to create a new, dummy account just so I could raise a case about my old account because basically *all* the details must have been changed in it.

This appears to be a fresh wave, too. Possibly coinciding with the ability to change an Origin username at will (though I'm not sure exactly when this was implemented).

Here are some links to threads on their forum from within the last few days that contain individual cases of this exact same thing happening:

I can't recall if there was anything incredibly sensitive in there (I don't remember using a credit card at all with that account, just used it to register keys bought from Amazon etc.) but exactly the same thing is happening to a LOT of people.

So, if you haven't checked in on your Origin account recently, you should log in and make sure that everything is working fine. I didn't have anything that could've been guessed about my account (such as the password, security questions etc.) yet my account has certainly been hijacked.

It also exposes a huge, gaping flaw in EA's security system, given that:
a) there's no mention in the email of what it was changed *from*
b) there isn't a confirmation asking for the email address to be changed
c) people trying to raise cases about this with their online help/chat thing are getting knocked back because they have their own dates of birth wrong

Stormy Grey

Member

Sad to see they are still so inept. They have done a terrible job of protecting consumers against theft and fraud this generation, would love to know the dollar value of all the games stolen or taken through the FIFA stuff.

Member

Every time I log into my Origin account (I don't save my password so I have to enter it in manually) it says my username/Origin account/password is wrong. This has happened twice in the past hour or so.

I have to choose forget password in which I enter my email address, then they send me this huge code to reset my password.

Banned

Member

Every time I log into my Origin account (I don't save my password so I have to enter it in manually) it says my username/Origin account/password is wrong. This has happened twice in the past hour or so.

I have to choose forget password in which I enter my email address, then they send me this huge code to reset my password.

I don't think you've been affected by this though (or at least, not exactly the same thing) because you can actually use your existing email account to reset your password. Because whoever it was changed both my account name AND my email address, I have no way of knowing what they were set to.

The guy's video I posted said he was lucky because he'd used the Facebook authentication as well and the hijackers had forgotten to change it (or it can't be removed, perhaps?) but if your account's been broken into and your username and email have been changed, what hope do you have of getting anything back yourself?

Fucking pathetic work by EA. I wonder if it affects pre-Origin games like The Saboteur as well. I'll have to try that tonight. Until then, no Autolog for NFS:HP either. I'd be even more pissed as hell if I'd bought NFS:MW and couldn't play it (potentially even losing progress) as well.

I'm still not sure how they can change that email in the first place, because I think that's the core of the issue. Obviously they're bypassing whatever confirmation is normally needed to do such a thing, because I don't think they're getting into accounts right away via brute forcing a password. My gut says they're social engineering the account to get EA to change the email address... and I think the key is the DOB which they're probably guessing randomly via bots or something.

Member

You can reset your EA account using a linked account, such as an XBL tag. I did that, and got this:

I just wish I could login using my XBL account rather than the Origin one

Edit: YES! FUCKING AWESOME! Sort of.
For those following, it looks like the link to my XBL account still worked, so I was able to download the EA Sports "app" on the 360 and log into it to suss out some info:

The fucking thing won't let me change the email ("Unable to update your account info at this time") but at least I can see the email they used. I can't see the account name though, I don't think. But it's a start!

Member

This is why I use Gmail for my emails and then use its secondary confirmation thingie whenever someone tries to access it on a different computer. Unless they have a way of knowing your Origin account's password firsthand, they have to have the password reset and sent to your email, and unless they can access your email, they're still stuck.

Member

So, I might try with something that isn't EA Sports. Can anyone think of a demo that would use EA's online shit that is just a regular game?

Edit: I've tried Burnout Paradise and Brutal Legend, they're the only ones I could think of. I'm not sure if there's anything EA/Origin related connected to Rock Band, but that might be something else to check.

Member

I've been trying to get my account back for 3 weeks now. I don't remember what I've put in as my birthday. So they say I'm basically fucked. Apparently having the keys from your games isn't enough proof. Fuck you EA

Banned

I've been trying to get my account back for 3 weeks now. I don't remember what I've put in as my birthday. So they say I'm basically fucked. Apparently having the keys from your games isn't enough proof. Fuck you EA

Banned

yeah that shitty if they don't tell you that it will be used for account recovery. It is the same as using precision adress. , . ; all that things are fucking stupid. If someone stole your password you birth date also could be changed already same as almost any other information.

So "smh" dude

I was in same position as him with my first US account after PSN fiasco.

Banned

It was bound to happen. Every service that uses accounts is targeted at some point in time. Hopefully EA can iron their security issues out quickly. And those of you complaining about EA using your date of birth to identify your account, well, I guess that'll teach you to enter a bogus birthdate since many companies use the same method to check identities.

Hacked by a website that hacks accounts. Gee, I wonder what they were doing on this website? Sounds like one of those "FREE ORIGIN GAMES" or "RANK UP IN BF3 AUTOMATICALLY" scam websites and they fell for it.

Banned

yeah that shitty if they don't tell you that it will be used for account recovery. It is the same as using precision adress. , . ; all that things are fucking stupid. If someone stole your password you birth date also could be changed already same as almost any other information.

So "smh" dude

I was in same position as him with my first US account after PSN fiasco.

3 - If the address wasn't a "precision adress" (sic) ie - you had it slightly incorrect, I am sure they would be able to establish you were the correct owner by the information you were able to provide about the account. Regardless, address is not a recognised way of proving identity as someone's address information is a lot more public domain than their DOB (usually DOB in conjunction with some other information that only you would know, such as payment methods, secret word etc)

4 - If someone stole your password and changed your DOB do you not think that would be visible to the customer service rep who would be able to tell what your original DOB was?

Essentially, for someone to lose access to their account here they have to have a) visited a dodgy website and downloaded some malware to perform some such "function"; b) not given a legitimate date of birth on registration. There are many, many things that EA can quite rightfully be called out on, but there is no way on earth that EA should be taking the hit for end-user stupidity.

Member

Which one of those would I fall into? My DOB certainly wasn't fake on registration (I don't know how that would lead to an account being compromised anyway, even if it's fake it's still essentially a random number) and I assure you I haven't logged into any even remotely suspicious websites that use the same login I used for Origin.

The fact that there are so many cases that have popped up within the space of a few days indicates that there's something inherently wrong with EA's security surrounding accounts, not the users.

But hey, feel free to blame the end-user on this. I'm sure they all *adore* hearing how stupid they are right after they lost access to potentially hundreds of dollars worth of games.

listen to the mad man

Essentially, for someone to lose access to their account here they have to have a) visited a dodgy website and downloaded some malware to perform some such "function"; b) not given a legitimate date of birth on registration. There are many, many things that EA can quite rightfully be called out on, but there is no way on earth that EA should be taking the hit for end-user stupidity.

Member

Or it was a crappy throwaway account that EA forced you to make just to play multiplayer on console so you just put in whatever you could enter fastest... and then EA turned it into a full blown EA/Origin account later on without even asking.

Member

Well, looking up that email address used in Origin has brought up this little cunt's profile:

For some reason, it looks like the support case I created has completely disappeared (or I'm just not looking in the right support area, their support/feedback area is a fucking mess) so I'm going to create another case and put in the existing case's reference number.

Member

As far as I can remember I put in my real date of birth like I do with all my accounts, I must have made a little mistake.

And having only 1 way to ensure it is that person's account is fucking retarded.
They basically said I was never getting it back despite having the email, account personas, receipts, the Visa number I used and the redeem codes for my games.

Cock Encumbered

Thank god for Steam Guard. It allowed me to stop worrying about my little brother with his Steam account (he got it stolen once prior to Steam Guard). I just had to make sure he used different passwords for his Steam and e-mail lol.

Or your friends use predictable/the same passwords for everything they have. That is usually the case when game accounts get compromised, I learned the hard way with Guild Wars 2 and now I use LastPass for everything.

Banned

It's amazing how stupid EA is in some ways compared to Valve while intelligent in others. Valve can't grasp the concept of me deleting Steam cloud data easily. You have to fuck around with desyncing and then deleting folders named random gibberish of numbers. EA just has a single button you press. A single damn button.

Yet here we are where EA can't make a proper system to retrieve stolen accounts or secure them in a redundant fashion.

Member

Just got off the phone with EA support, have access back to my account again now... what a pain in the ass, it had been hacked by somebody and renamed to "stainlessup2" whatever the fuck that is.

Mother f**kers.

Have spent the last 30 mins changing all my passwords everywhere I can think of =0)

EDIT - just spoke to one of my friends, and completely coincidentally they were hacked today as well. I have also noticed a few posts on the official EA forums about it, so something went down today for sure.

Banned

Just got off the phone with EA support, have access back to my account again now... what a pain in the ass, it had been hacked by somebody and renamed to "stainlessup2" whatever the fuck that is.

Mother f**kers.

Have spent the last 30 mins changing all my passwords everywhere I can think of =0)

EDIT - just spoke to one of my friends, and completely coincidentally they were hacked today as well. I have also noticed a few posts on the official EA forums about it, so something went down today for sure.

Banned

Last year my Steam account was hacked, bastards traded away my soldier medal. Steam couldn't do anything for me except grant me access back to my account after a week long process. I feel for you dude, shit is lame.